Service IAM Roles in Production Accounts

Veeam Backup for AWS launches worker instances in production accounts to perform the following operations:

  • To index EFS file systems.
  • [Applies if enabled in the backup policy or restore settings] To create EC2 image-level backups and to perform restore from EC2 image-level backups.
  • [Applies if enabled in the backup policy settings] To create RDS image-level backups and to perform restore from RDS image-level backups.

To launch worker instances in production accounts, Veeam Backup for AWS uses the permissions of backup IAM roles and restore IAM roles. However, those backup and restore IAM roles cannot be used to automatically create the IAM roles that are attached to the launched worker instances for communication with Veeam Backup for AWS. That is why you must either create the worker IAM roles manually in the AWS Management Console or instruct Veeam Backup for AWS to create them for you:

Note

File-level recovery has no IAM role setting of its own. When you enable worker deployment in production accounts in the restore settings, the IAM role you specify there is also the role Veeam Backup for AWS uses to launch worker instances for file-level recovery. That is why this role must additionally be granted the permissions listed in section FLR Worker IAM Role Permissions.

Worker Configuration IAM Role Permissions

By default, Veeam Backup for AWS automatically chooses the most appropriate network settings of an AWS Region in the production account when launching worker instances for EFS indexing and for RDS backup and restore operations, and uses the default network settings of the AWS Region when launching worker instances for EC2 backup and restore operations. If you want to control these settings, you can add worker configurations that specify the network settings (VPC, subnet and security group) for each region in which worker instances will be deployed.

When you create a worker configuration, Veeam Backup for AWS uses the permissions of the worker configuration IAM role to list the network settings available in the AWS Regions of the production account. That is why, if you add worker configurations that will be used to launch worker instances in production accounts, the IAM role specified in each worker configuration must be granted the following permissions. All of them are read-only ec2:Describe* calls, which do not support resource-level permissions, so the Resource element has to be "*":

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeVpcs",
                "ec2:DescribeRegions",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
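The policy above is the complete permission set for the worker configuration role, so the useful check in a production account is that the role you created (or the one Veeam created) grants exactly these six actions and nothing broader, such as "ec2:*" or "ec2:Describe*". The script below is an added example and is not Veeam code: it builds the policy document shown above and audits any policy document (for instance one pulled with aws iam get-role-policy) against it, reporting missing actions, explicit denies, wildcard or extra actions, Conditions, and a Resource element other than "*", which would silently break the Describe calls. The two deliberately wrong policies at the bottom are constructed for the demonstration.

```python
"""Least-privilege audit for a Veeam worker configuration IAM role policy.

Added example, not Veeam code. The required action list is taken from the
policy document above; the sample "bad" policies are constructed here.
"""
import fnmatch
import json

# Read-only ec2:Describe* actions listed in the page's policy. None of them
# supports resource-level permissions, so "Resource" must be "*".
REQUIRED_ACTIONS = {
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeVpcs",
    "ec2:DescribeRegions",
    "ec2:DescribeAccountAttributes",
    "ec2:DescribeSubnets",
    "ec2:DescribeSecurityGroups",
}


def build_worker_config_policy():
    """Return the policy document from the page as a Python dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Action": sorted(REQUIRED_ACTIONS), "Resource": "*", "Effect": "Allow"}
        ],
    }


def _as_list(value):
    """IAM accepts a single string or a list for Action / Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_worker_config_policy(doc):
    """Audit one policy document (dict or JSON string).

    Returns a dict of findings; "ok" is True only when the policy grants
    exactly REQUIRED_ACTIONS on "*" with plain Allow statements.
    """
    if isinstance(doc, str):
        doc = json.loads(doc)
    allowed, denied, overbroad, extra = set(), set(), set(), set()
    conditioned, bad_resource = [], []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        actions = _as_list(st.get("Action"))
        effect = st.get("Effect")
        if effect == "Deny":
            # An explicit Deny anywhere wins over Allow in IAM evaluation.
            denied.update(a for a in REQUIRED_ACTIONS
                          if any(_matches(p, a) for p in actions))
            continue
        if effect != "Allow":
            continue
        if "Condition" in st:
            conditioned.append(i)          # may not match the appliance's calls
        if "NotAction" in st:
            overbroad.add("NotAction")     # grants everything except a list
        if _as_list(st.get("Resource")) != ["*"]:
            bad_resource.append(i)         # Describe* calls need Resource "*"
        for p in actions:
            hits = {a for a in REQUIRED_ACTIONS if _matches(p, a)}
            allowed.update(hits)
            if "*" in p or "?" in p:
                overbroad.add(p)           # wildcard: wider than the six actions
            elif not hits:
                extra.add(p)               # a concrete action the role does not need
    missing = REQUIRED_ACTIONS - allowed
    ok = not (missing or denied or overbroad or extra or conditioned or bad_resource)
    return {"ok": ok, "missing": missing, "denied": denied, "overbroad": overbroad,
            "extra": extra, "conditioned": conditioned, "bad_resource": bad_resource}


# Constructed counter-examples (not from the page).
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(REQUIRED_ACTIONS - {"ec2:DescribeSecurityGroups"}) + ["ec2:RunInstances"],
        "Resource": "arn:aws:ec2:us-east-1:123456789012:vpc/*",   # hypothetical ARN
    }],
}


def apply_to_role(role_name, policy_name="VeeamWorkerConfigurationPolicy"):
    """Optional: attach the page's policy as an inline policy (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the audit functions run offline
    boto3.client("iam").put_role_policy(
        RoleName=role_name, PolicyName=policy_name,
        PolicyDocument=json.dumps(build_worker_config_policy()))


if __name__ == "__main__":
    for name, doc in [("page", build_worker_config_policy()),
                      ("overbroad", OVERBROAD_POLICY), ("incomplete", INCOMPLETE_POLICY)]:
        print(name, check_worker_config_policy(doc))
```

Run it against a live role with aws iam get-role-policy --role-name <role> --policy-name <policy> --query PolicyDocument and pass the JSON to check_worker_config_policy; a role that Veeam Backup for AWS created for you should come back ok, and a hand-built one that reuses a broader "ec2:Describe*" or "ec2:*" grant is flagged as overbroad even though it technically works.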